Piwigo Bugtracker

Viewing Issue Advanced Details Jump to Notes ] Issue History ] Print ]
ID Category Severity Reproducibility Date Submitted Last Update
0001973 [Piwigo] security minor have not tried 2010.10.29 23:45 2010.10.30 00:37
Reporter plg View Status public  
Assigned To plg
Priority normal Resolution fixed Platform
Status closed   OS
Projection none   OS Version
ETA none Fixed in Version 2.1.4 Product Version 2.1.3
  Target Version 2.1.4 Product Build
Summary 0001973: [comments.php] SQL query on error (and displayed) when category id is unknown
Description On comments.php, the category_id is transmitted with a $_GET parameter and if the user set a non-existing category_id then Piwigo generates an SQL syntax error and the SQL query is displayed.

There is no vulnerability but we should avoid the SQL syntax error if we know the category doesn't exist!
Steps To Reproduce
Additional Information
Tags No tags attached.
browser any
Database engine and version
PHP version
Web server Apache 1.3.x
Attached Files

- Relationships

-  Notes
(0004410)
svn (reporter)
2010.10.30 00:33

[Subversion] r7487 by plg on branch 2.1

-----[Subversion commit log]----------------------------------------------------
bug 1973 fixed: aboid SQL syntax error if the category id given in the URL is
unknown.
(0004411)
svn (reporter)
2010.10.30 00:34

[Subversion] r7488 by plg on trunk

-----[Subversion commit log]----------------------------------------------------
merge r7487 from branch 2.1 to trunk

bug 1973 fixed: aboid SQL syntax error if the category id given in the URL is
unknown.


- Issue History
Date Modified Username Field Change
2010.10.29 23:45 plg New Issue
2010.10.29 23:45 plg Status new => assigned
2010.10.29 23:45 plg Assigned To => plg
2010.10.29 23:45 plg browser => any
2010.10.29 23:45 plg Web server => Apache 1.3.x
2010.10.30 00:33 svn Checkin
2010.10.30 00:33 svn Note Added: 0004410
2010.10.30 00:34 svn Checkin
2010.10.30 00:34 svn Note Added: 0004411
2010.10.30 00:37 plg Status assigned => closed
2010.10.30 00:37 plg Resolution open => fixed
2010.10.30 00:37 plg Fixed in Version => 2.1.4


Mantis 1.1.6[^]
Copyright © 2000 - 2008 Mantis Group
Contact
Powered by Mantis Bugtracker